Slackware: This Forum is for the discussion of Slackware Linux.
Now that I think about it, wasn't Jia Tan & friends' modus operandi awfully similar to how ZhaoLin and the Russian dude whose nick I forgot usually behave?
A person's behavior and Modus Operandi are not the same thing. One is not proof of the other. Although situations like this will result in a lot of finger pointing since behavior and attitude are often used to establish trust in the absence of actual evidence.
While both may have opinions on Slackware I disagree with, their contributions haven't been malicious in the slightest. Huge difference. Borderline xenophobic?
Someone made a joke on Reddit about the bad actor(s) name. Very funny.
But the discussion has raised a lot of valid questions...
Including this long game by was luckily discovered, but how many may not have been. Open source vs closed source, etc https://www.reddit.com/r/linux/comme...ibzma_already/
The funny stuff: JIA CHEONG TAN
CIA JHEONG TAN
CIA JHON EGTAN
CIA JOHN AGENT
CIA AGENT JOHN Case closed
While both may have opinions on Slackware I disagree with, their contributions haven't been malicious in the slightest. Huge difference. Borderline xenophobic?
There is nothing xenophobic about not liking someone who has a reputation for being an asshole. Maybe it's a translation error, but even then a reasonable person would back away from a conversation once they see that their statements are causing frustration. LC in particular seems unable to grasp that concept - in addition to his weird conspiracy rants.
But to stay on topic there's nothing inherently malicious about someone being a dumbass. What is interesting is that bad behavior or COO (during a time of crisis) will often be used to approximate who is, and who is NOT trustworthy. This isn't racism or xenophobia, it's just human nature when the chain of trust is broken.
Given that this whole exploit is rooted in "who do we trust" we need to be aware that a lot of people are immediately going to start looking for other bad actors. It would behoove everyone in the FOSS/Linux world to take a deep breath and avoid jumping to conclusions. Even the most well-intentioned person can sometimes get it wrong.
And still, I would say that it is times and views that have changed rather than Slackware. Since the beginning in the early 90s the Slackware installation has always been the same: Manual partitioning of disk before running installation scripts and bootloader settings by scripts at the end of the installation.
There might be other distributions out there that are easier to install, but once you have installed Slackware you have a system that you understand.
regards Henrik
I know this is off topic, but Slackware isn't difficult to install. The issue however is as soon as an OS uses some kind of automatic partitioning to install, it becomes an inherently unsafe installation method, because in general it just does "wipe the whole disk, create random partition scheme and install". This is the approach of Windows and several GNU/Linux distros. But unlike Windows it is not dangerous to insert the install medium with the Linux distros at the very least, as they don't automatically destroy everything by default.
Given that this whole exploit is rooted in "who do we trust" we need to be aware that a lot of people are immediately going to start looking for other bad actors. It would behoove everyone in the FOSS/Linux world to take a deep breath and avoid jumping to conclusions. Even the most well-intentioned person can sometimes get it wrong.
Yes, but it's concerning (to put it mildly) that a "tongue-in-cheek" post about those two being malicious actors was even made. Both have had several credits in the changelog, and there's nothing to suspect them putting backdoors in anything. I guess we're agreeing more than we're disagreeing, here. An accusation like that shouldn't be a joke--it's a very serious thing that leads down a slippery slope I don't think the FOSS community is ready to accept. I don't think it's an accident, either, that the finger was pointed (admittedly as a "joke") to the two people most "foreign" to the average slacker. I mean, if the Linux community is at risk by difficult personalities, quirky personalities, and people who are sometimes jerks or have weird conspiracy theories, then there are a *lot* of those types in the Linux community. (Anyone remember usenet? It was a wild place in the late 90's...)
This is clearly a very complex state-sponsored operation with impressive sophistication and multi-year planning. Such a complex and professionally designed comprehensive implantation framework is not developed for a one-shot operation. It could already be deployed elsewhere or partially reused in other operations. That’s exactly why we started focusing on more generic detection for this complex backdoor.
That's because it could have been a "SolarWinds" type exploit for the Linux community. Hats off to Andres Freund.
Yes, but it's concerning (to put it mildly) that a "tongue-in-cheek" post about those two being malicious actors was even made. Both have had several credits in the changelog, and there's nothing to suspect them putting backdoors in anything. I guess we're agreeing more than we're disagreeing, here. An accusation like that shouldn't be a joke--it's a very serious thing that leads down a slippery slope I don't think the FOSS community is ready to accept. I don't think it's an accident, either, that the finger was pointed (admittedly as a "joke") to the two people most "foreign" to the average slacker. I mean, if the Linux community is at risk by difficult personalities, quirky personalities, and people who are sometimes jerks or have weird conspiracy theories, then there are a *lot* of those types in the Linux community. (Anyone remember usenet? It was a wild place in the late 90's...)
I more-or-less agree, but I also don't think going completely the opposite direction and saying that "people in the FOSS world are quirky" is an effective refutation. A contributor is malicious because their contributions are malicious. Saying that someone has multiple mentions in the changelog serves no purpose other than to dismiss the claim. In this specific situation the claim was made in jest... but if the accusation had been real then you were just throwing fuel on the fire.
If we look at this from the perspective that a Trusted contributor can turn out not to be trusted, then that concept applies to all of us. The exploit here was from someone who had a history of being a positive part of the community, until suddenly he wasn't.
What I'm saying is that we need to re-think how we deal with such accusations. A sarcastic joke on a text-based forum isn't particularly helpful for obvious reasons. But running in the complete opposite direction and defending a contributor by saying "he has multiple contributions" is literally just setting everyone up for a tribal fight. Like with anything in computers, you have an idea or intent, and then an IMPLEMENTATION of that idea. Creating a tribal fight seems like a pretty crappy way to resolve conflict IMO.
Case in point - I contributed a patch involving shared library search paths. Does that mean everything I say or do from this moment on is authentic? Seems innocent enough. Or am I just setting up pathing for a later exploit?
I more-or-less agree, but I also don't think going completely the opposite direction and saying that "people in the FOSS world are quirky" is an effective refutation. A contributor is malicious because their contributions are malicious. Saying that someone has multiple mentions in the changelog serves no purpose other than to dismiss the claim.
Because you and madridsecreto insinuate that me and LuckyCyborg had malicious contributions, please punctually and specifically say here in detail what these malicious contributions of mine and his are.
It seems absurd to me that from this XZ backdoor you and madridsecreto end up accusing me of malicious contributions.
And for trivia, this JIA CHEONG TAN is not a Chinese name of a person. These are three Chinese surnames, the first two being old Cantonese or Hong Kong surnames. I think you probably find more Cheong in the North American continent than in all of mainland China or Taiwan.
I have no experience with the secret services, but it seems absurd to me for Messrs. Jia, Cheong and Tan to blatantly sign "who did it" in an undercover mission.
My personal opinion is that they are the same Chinese Americans who insinuated racism when Linus Torvalds ordered to be removed from the Linux kernel any contribution of the university that shelters them.
P.S. For those who have a hard time remembering LuckyCyborg's username, his name is Ivan. He's a Russian named Ivan. Simple, right?
Last edited by ZhaoLin1457; 04-02-2024 at 04:14 PM.
Now that I think about it, wasn't Jia Tan & friends' modus operandi awfully similar to how ZhaoLin and the Russian dude whose nick I forgot usually behave?
It's exactly the same
They gained the maintainer's trust by offering patches (among other things you can review in the changelog)
That's why, today, we have an excellent Slackware with great kde/wayland/pipewire integration
Thanks to them
Because you and madridsecreto insinuate that me and LuckyCyborg had malicious contributions, please punctually and specifically say here in detail what these malicious contributions of mine and his are.
It seems absurd to me that from this XZ backdoor you and madridsecreto end up accusing me of malicious contributions.
If we look at this from the perspective that a Trusted contributor can turn out not to be trusted, then that concept applies to all of us. The exploit here was from someone who had a history of being a positive part of the community, until suddenly he wasn't.